Here we go, next step then.
As we did not fix the performance issue when autofiltering
the variables (see bug 20975), the only solution we have is to add the
filters explicitely.
This patch has been autogenerated (using add_html_filters.pl, see next
pathces) and add the html filter to all the variables displayed in the
template.
Exceptions are made (using the new 'raw' TT filter) to the variable we
already listed in the previous versions of this patch.
To test:
- Use t/db_dependent/Koha/Patrons.t to populate your DB with autogenerated
data which contain <script> tags
- Remove them from borrower_debarments.comments (there are allowed here)
update borrower_debarments set comment="html tags possible here";
- From the interface hit page and try to catch alert box.
If you find one it means you find a possible XSS.
To know where it comes from:
* note the exact URL where you found it
* note the alert box content
* Dump your DB and search for the string in the dump to identify its
location (for instance table.field)
Next:
* Ideally we would like to use the raw filter when it is not necessary
to HTML escape the variables (in big loop for instance)
* Provide a QA script to catch missing filters (we want html, uri, url
or raw, certainly others that I am forgetting now)
* Replace the html filters with uri when needed (!)
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Modify JS script to all templates for z3950_search.tt and reduce the
redundant code
This patch propose:
-z3950_auth_search.tt has various onclick events used in links.
Also fix: acqui/z3950_search.tt and cataloguing/z3950_search.tt
-Trigger onclick events via JQuery .on()
-Make a separate .js and .inc file
-Reduce the number of line and redundant code
-Also add Font Awesome Icons to "Select/Clear all" and "Clear search
form" links
To test:
1-Apply bug 16600 on top
2-Apply patch
3-Go to Authorities > click New from Z39.50
4-Fill some fields and click in "Clear search form" link
5-Search under "Dalton" or another author that launch too many headings
6-Clic in some heading and notice the dialog open, test: "Preview MARC",
ISBD (when showed), "Import" and close the dialog "X". Use the
"Import" from table too.
7-Use the "next/previous page" button, change "Go to page" to number in and
out of the range presented, also test whit a letter, etc.
Go to Cataloging > New from Z39.50/SRU
Repeat steps 3 to 6. But this time with bib records.
Go to Adquisition > Open or Create a basket and choose to "Add to basket"
button. A modal appear, chose the option "Order from external source"
Repeat steps 3 to 6. But this thime with bib records.
NOTE: The icon trash for "Clear search form" has been selected according
with module "Advanced search" there is an icon trash with link "Clear
fields" that has the same fuctionality.
For some reason the image loading-small.gif does not charge all times
when the code is get out of the template. (Fixed with this new patch)
DataTable it is specific for each template
Sponsored-by: Universidad de El Salvador
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
